We have talked about using the index to make searches faster. When starting a new investigation, following a few steps will help you get results faster:
- Set the time to the minimum time that you believe will be required to locate relevant events. For a chatty log, this may be as little as a minute. If you don't know when the events occurred, you might search a larger time frame and then zoom in by clicking on the timeline while the search is running.
- Specify the index if you have multiple indexes. It's good to get into the habit of starting your queries with the index name. For example, `index=myapplicationindex error bob`.
- Specify other fields that are relevant. The most common fields to specify are `sourcetype` and `host`. For example, `index=myapplicationindex sourcetype="impl_splunk_gen" error bob`. If you find yourself specifying the field `source` on a regular basis, you could probably benefit from defining more source types. Avoid using the `sourcetype` field to capture other information...
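The steps above, carried through as one SPL progression (an added example, not part of the original text): a first pass over a short window, a second search that reveals which `sourcetype` and `host` values actually carry the matching events, and the narrowed search built from that answer. The five-minute window, the host name `web01` and the `error bob` terms are assumed values; `earliest` and `latest` are Splunk's relative time modifiers.

```spl
index=myapplicationindex earliest=-5m latest=now error bob

index=myapplicationindex earliest=-5m latest=now error bob | stats count by sourcetype host

index=myapplicationindex sourcetype="impl_splunk_gen" host="web01" earliest=-5m latest=now error bob
```

The `stats count by sourcetype host` step is what tells you which field values are worth pinning down before you widen the time range again.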